Merge pull request #5 from gavinrogers/feature-nginx

Feature nginx

Author: bastelfreak

README.markdown

@@ -13,6 +13,7 @@ as this module requires the passenger apache module.
 
 Requires the following modules from puppetforge: [stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib), [apache](https://forge.puppetlabs.com/puppetlabs/apache), [concat](https://forge.puppetlabs.com/puppetlabs/concat), [inifile](https://forge.puppetlabs.com/puppetlabs/inifile)
 
+
 ## Usage Note ##
 
 If you are using this module to install a puppetmaster and serving the manifest of 
@@ -58,7 +59,7 @@ Optionally, an `environmentpath` parameter can be supplied to configure the base
       webserver => 'nginx'
     }
 
-The default installed webserver is httpd with passenger, but via the webserver param you can switch to nginx with unicorn (nginx is currently only tested on centos7, testers are welcome)
+The default installed webserver is httpd with passenger, but via the webserver param you can switch to nginx with unicorn (nginx is currently only tested on centos7, testers are welcome). Note that if you have selinux enabled, you must have [this](https://github.com/gavinrogers/puppet-selinux) selinux module installed.
 
 ## Agent ##
     class { 'puppet::agent':

manifests/master.pp

@@ -138,6 +138,10 @@
     nginx: {
       Anchor['puppet::master::begin'] ->
       class {'puppet::unicorn':
+        certname          => $certname,
+        puppet_conf       => $puppet_conf,
+        puppet_ssldir     => $puppet_ssldir,
+        dns_alt_names     => $dns_alt_names,
         listen_address    => $listen_address,
         puppet_proxy_port => $puppet_proxy_port,
         disable_ssl       => $disable_ssl,

manifests/unicorn.pp

@@ -24,6 +24,10 @@
 # with big help from Rob 'rnelson0' Nelson and the_scourge
 
 class puppet::unicorn (
+  $certname,
+  $puppet_conf,
+  $puppet_ssldir,
+  $dns_alt_names,
   $listen_address,
   $puppet_proxy_port,
   $disable_ssl,
@@ -82,36 +86,39 @@
   }
   # update SELinux
   if $::selinux_config_mode == 'enforcing' {
-    package {['policycoreutils', 'checkpolicy', 'policycoreutils-python']:
-      ensure  => 'latest',
-    } ->
-    file {'selinux template':
-      path    =>  '/tmp/nginx.te',
-      ensure  =>  file,
-      content =>  template('puppet/unicorn_selinux_template'),
-      notify  => Exec['building_selinux_module_from_template'],
-    }
-    exec {'building_selinux_module_from_template':
-      path        => [ "/usr/bin", "/usr/local/bin" ],
-      command     => 'checkmodule -M -m -o /tmp/nginx.mod /tmp/nginx.te',
-      refreshonly => true,
-      notify      => Exec['building_selinux_policy_package_from_module'],
+    class { selinux:
+      mode  => 'enforcing'
     }
-    exec {'building_selinux_policy_package_from_module':
-      path        => [ "/usr/bin", "/usr/local/bin" ],
-      command     => 'semodule_package -o /tmp/nginx.pp -m /tmp/nginx.mod',
-      refreshonly => true,
-    }
-    file {'/usr/share/selinux/targeted/nginx.pp':
-      source => 'file:///tmp/nginx.pp',
-      require => Exec['building_selinux_policy_package_from_module'],
-    }
-    selmodule {'nginx':
-      ensure      => 'present',
-      syncversion => true,
-      require     => File['/usr/share/selinux/targeted/nginx.pp'],
+    selinux::module{ 'nginx':
+      ensure  => 'present',
+      content =>  template('puppet/unicorn_selinux_template'),
     }
   }
+
+  # first we need to generate the cert
+  # Clean the installed certs out ifrst
+  $crt_clean_cmd  = "puppet cert clean ${certname}"
+  # I would have preferred to use puppet cert generate, but it does not
+  # return the corret exit code on some versions of puppet
+  $crt_gen_cmd   = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}"
+  # I am using the sign command here b/c AFAICT, the sign command for certificate
+  # does not work
+  $crt_sign_cmd  = "puppet cert sign --allow-dns-alt-names ${certname}"
+  # find is required to move the cert into the certs directory which is
+  # where it needs to be for puppetdb to find it
+  $cert_find_cmd = "puppet certificate --ca-location=local find ${certname}"
+
+  exec { 'Certificate_Check':
+    command   => "${crt_clean_cmd} ; ${crt_gen_cmd} && ${crt_sign_cmd} && ${cert_find_cmd}",
+    unless    => "/bin/ls ${puppet_ssldir}/certs/${certname}.pem",
+    path      => '/usr/bin:/usr/local/bin',
+    logoutput => on_failure,
+    require   => File[$puppet_conf]
+  }
+
+
+
+
   # hacky vhost
   file {'puppetmaster-vhost':
     path    => '/etc/nginx/sites-available/puppetmaster',